The following description relates generally to an apparatus and method of diagnosing whether a computer program executed in a computer system is a malicious program, and more particularly, to an apparatus and method of diagnosing whether a computer program is a malicious program using a behavior of a computer program, and an apparatus and method of generating malicious code diagnostic data.
Conventional malicious program detection technology collects samples of known malicious programs, extracts a character string that serves as the signature of the malicious program from the collected samples, and determines whether a particular computer is infected with the malicious program by checking whether the extracted character string exists in the files of a diagnostic target computer system or the like.
When a new malicious program is discovered, a malicious program diagnosing apparatus must be developed to identify the new malicious program, extract a predetermined character string that is the signature of the new malicious program, and detect the malicious program. The existing malicious program diagnosing apparatus cannot detect the new malicious program until information about it has been added. As a result, damage from the new malicious program may not be prevented. In addition, the number of character strings that serve as signatures of malicious programs increases in proportion to the number of malicious programs. Therefore, it takes the malicious program diagnosing apparatus more time to check for the existence of each character string that is the signature of a malicious program.
For example, in the case of a mobile device that is supplied with power using a battery and the like, such as a mobile phone, a personal digital assistant (PDA), and other like mobile devices, the mobile device consumes power to extract a character string from a particular computer program and verify whether the extracted character string is the same as a character string corresponding to the signature of an existing malicious program. As a result, time available to run the mobile device is inevitably reduced due to power consumed for malicious program detection.
Furthermore, according to conventional practices, if a hacker's attacks reveal a vulnerability of a computer, a program manufacturer may guard against the hacker's attacks using a patch program that corrects the vulnerability. However, there are no distinct solutions for other attacks on any other underlying vulnerabilities.
Most malicious programs are not new programs that differ significantly from existing malicious programs. Instead, most malicious programs are variants of existing malicious programs. However, in order to detect a variant of a malicious program, a new character string extracted from that variant must be used instead of the character string extracted from the existing malicious program. Therefore, a separate character string must be provided for each variant to be detected.
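The following toy signature scanner is an added example, not part of the patent text, that reproduces the three points made above: a signature is a string shared by the collected samples, a variant that alters that string is missed, and scan work grows with the number of signatures in the database. All sample bytes are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest byte run present in both a and b (O(len(a)*len(b)) dynamic programme)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def extract_signature(samples: List[bytes]) -> bytes:
    """Derive a family signature: the longest string common to every collected sample."""
    sig = samples[0]
    for sample in samples[1:]:
        sig = longest_common_substring(sig, sample)
    return sig


def scan(target: bytes, signatures: Dict[str, bytes]) -> Tuple[Optional[str], int]:
    """Check a target file against every known signature.

    Returns (name of the first matching family or None, number of signature
    comparisons performed). A clean file costs one comparison per signature,
    so the work grows in proportion to the size of the signature database.
    """
    checks = 0
    for name, sig in signatures.items():
        checks += 1
        if sig in target:
            return name, checks
    return None, checks


# Constructed samples of one family: the same routine string in different wrappers.
ROUTINE = b"routine_alpha_v1"
FAMILY_A = [b"\x7fELF\x00\x01" + ROUTINE + b"\x00trailer1",
            b"MZ\x90\x03" + ROUTINE + b"\xcc\xcc"]
# A constructed variant that changed a single byte of the shared string.
VARIANT_A = b"MZ\x90\x03" + b"routine_alpha_v2" + b"\xcc\xcc"
CLEAN = b"MZ\x90\x03hello world\x00"

SIGNATURES = {"family_a": extract_signature(FAMILY_A)}
```

Running `scan(VARIANT_A, SIGNATURES)` returns no match even though the variant differs from the family by one byte, which is exactly why a second signature would have to be added for it.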